Scottish Legal Aid Board RECORDS MANAGEMENT PLAN Version 05

Records Management Plan

July 2013


RECORDS MANAGEMENT PLAN

Summary

The Scottish Legal Aid Board is fully committed to compliance with the requirements of the Public Records (Scotland) Act, which came into force on the 1st January 2013. The Board will therefore follow procedures that aim to ensure that all employees, contractors, agents, consultants and other trusted third parties who have access to any information held by or on behalf of the Board, are fully aware of and abide by their duties under the Act.

Document Control

Owner:
Document Control: V0.5
Date Live from:
Review/Approval Group: PRSA Project Board
Last Reviewed:
Review Due/Cycle: Annually

Document Change Log

Version | Author | Date | Comment
V0.1 | Deborah Dillon | Jan 13 | Draft
V0.2 | Nick Macdonald | Mar 13 | Draft
V0.3 | Deborah Dillon | May 13 | Incorporating evidence
V0.4 | David Montgomery | June 13 | Revisions
V0.5 | Carolyn Pearson | July 13 | Revisions


Contents

About the Public Records (Scotland) Act 2011

About the Scottish Legal Aid Board

Records Management Maturity Model

    The benefits of using the Maturity Model

    Maturity Model Structure

Element 1: Senior management responsibility

Element 2: Records manager responsibility

Element 3: Records management policy statement

Element 4: Business classification

Element 5: Retention schedules

Element 6: Destruction arrangements

Element 7: Archiving and transfer arrangements

Element 8: Information Security

Element 9: Data protection

Element 10: Business continuity and vital records

Element 11: Audit trail

Element 12: Competency framework for records management staff

Element 13: Assessment and review

Element 14: Shared Information

Appendix A

Records Management Maturity Model and Action Plan – Summary Report


About the Public Records (Scotland) Act 2011

The Public Records (Scotland) Act 2011 (the Act) came into force on the 1st January 2013, and requires the Scottish Legal Aid Board to submit a records management plan (RMP) to be agreed by the Keeper of the Records of Scotland (the Keeper). This document is the Records Management Plan of the Scottish Legal Aid Board and is to be submitted to the Keeper of the Records of Scotland on 28th June 2012.

In order to create the Scottish Legal Aid Board’s Records Management Plan and comply with the provisions of the Public Records (Scotland) Act 2011, the Elements of the Act, as they exist within the Scottish Legal Aid Board, have been self-assessed using the Records Management Maturity Model [1] whilst also being mapped against ISO 15489-1:2001 Records Management [2].

About the Scottish Legal Aid Board

The Scottish Legal Aid Board (“SLAB”) was set up in 1987 to manage the legal aid system in Scotland. We are a Non-Departmental Public Body responsible to the Scottish Government. A key part of SLAB’s responsibilities is to administer the demand-led funding available for legal aid and to provide access to justice for those eligible and in need of it, in a cost-effective manner. SLAB advises Scottish Ministers on the operation of the legal aid system and makes proposals for ways to develop it.

Our work is overseen by a non-executive Board; its Chairman and members are appointed by Scottish Ministers, following a public appointments process. The number of members is currently 11 but can vary from 11-15. To give a balanced range of knowledge and experience, they include people with a background in business, the advice sector and the wider community as well as solicitors and advocates and people with knowledge of court procedure and practice. The executive management is headed by the Chief Executive, who is also the Accountable Officer, and is supported by three directors and a Principal Legal Adviser.

Records Management Maturity Model

Effective records management has the potential to enable Public Sector organisations to realise many other benefits alongside compliance with the Public Records (Scotland) Act 2011, Freedom of Information (Scotland) Act 2002 and the provisions contained within the Data Protection Act 1998.

[1] Records Management Maturity Model – www.jiscinfonet.ac.uk/records-management/measuring-impact/maturity-model

[2] ISO (the International Organization for Standardisation) 15489-1 applies to all records in any format or media, created or received by any public or private organisation during the course of its activities. Thus, ISO 15489 systems may be interpreted as paper, microform or electronic.

The Maturity Model has been developed using JISC Info Net and aims to give an accurate, reliable and honest summary of the current level of maturity of the records management measures within SLAB. It aims to help with:

- identifying and providing evidence of good practice in records management
- providing evidence of compliance with the Freedom of Information (Scotland) Act and its Code of Practice
- identifying gaps and areas of weaknesses which may require improvement
- measuring the extent to which your institution views records management as an operational and strategic priority

The benefits of using the Maturity Model

The Maturity Model provides SLAB with an accurate, reliable and honest summary of the current level of maturity of the records management measures within the organisation.

Maturity Model Structure

The Model provides statements summarising four levels of ‘maturity’ against 33 aspects of what constitutes a records management programme designed for ensuring compliance with FOI. The four levels described are:

0 Absent: Institution shows no evidence of awareness of the need to take a strategic approach to the management of records;

1 Aware: Uncoordinated local attempts to improve records management in response to local issues;

2 Defined: Coordinated attempts to improve records management underway across the organisation; and

3 Embedded: The effective management of records is fully integrated within SLAB’s strategic and operational activities.

The Elements of the Act, assessed against the Records Management Maturity Model and ISO 15489-1 Records Management, are described in detail below.


SLAB’s current Records Management Maturity Model mapping and Action Plan can be found at Appendix A.


RMP Element Description SLAB Statement Evidence Action Plan

Element 1: Senior management responsibility:

Identify an individual at senior level who has overall strategic accountability for records management.

Section 1(2)(a)(i) of the Act specifically requires a RMP to identify the individual responsible for the management of the authority’s public records. An authority’s RMP must name and provide the job title of the senior manager who accepts overall responsibility for the RMP that has been submitted.

It is vital that the RMP submitted by an authority has the approval and support of that authority’s senior management team. Where an authority has already appointed a Senior Information Risk Owner, or similar person, they should consider making that person responsible for the records management programme. It is essential that the authority identifies and seeks the agreement of a senior post-holder to take overall responsibility for records management. That person is unlikely to have a day-to-day role in implementing the RMP, although they are not prohibited from doing so.

As evidence, the RMP could include, for example, a covering letter signed by the senior post-holder. In this letter the responsible person named should indicate that they endorse the authority’s record management policy (See Element 3).

Read further explanation and guidance about element 1 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement1.asp

SLAB Statement:

Our Director of Corporate Services and Accounts, Graeme Hill, has senior responsibility for all aspects of Records Management, and is the corporate owner of this document.

Graeme Hill also chairs the Public Records (Scotland) Act Project Board which oversees corporate records management activity.

Evidence:

E01-01 “SLAB Records Management Policy” Pages

E01-02 “SLAB Information Governance Policy”

E01-03 “Sample Minute of PRSA Board”

E01-04 “Senior Manager & Staff Responsibilities”

Action Plan:

None


Element 2: Records manager responsibility:

Identify an individual within the authority, answerable to senior management, to have day-to-day operational responsibility for records management within the authority.

Section 1(2)(a)(ii) of the Act specifically requires a RMP to identify the individual responsible for ensuring the authority complies with its plan. An authority’s RMP must name and provide the job title of the person responsible for the day-to-day operation of activities described in the elements in the authority’s RMP. This person should be the Keeper’s initial point of contact for records management issues.

It is essential that an individual has overall day-to-day responsibility for the implementation of an authority’s RMP. There may already be a designated person who carries out this role. If not, the authority will need to make an appointment. As with element 1 above, the RMP must name an individual rather than simply a job title. It should be noted that staff changes will not invalidate any submitted plan provided that all records management responsibilities are transferred to the incoming post holder and relevant training is undertaken.

This individual might not work directly for the scheduled authority. It is possible that an authority may contract out their records management service. If this is the case an authority may not be in a position to provide the name of those responsible for the day-to-day operation of this element. The authority must give details of the arrangements in place and name the body appointed to carry out the records management function on its behalf.

It may be the case that an authority’s records management programme has been developed by a third party. It is the person operating the programme on a day-to-day basis whose name should be submitted.

Read further explanation and guidance about element 2 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement2.asp

SLAB Statement:

Our existing RM Policies identify Deborah Dillon, Records Management Specialist, as having day-to-day operational responsibility for Records Management. Deborah reports to Graeme Hill.

Deborah is a member of the Information and Records Management Society (IRMS).

Carolyn Pearson is the Business Reviewer and currently Deborah’s deputy. Carolyn will be assisting with the implementation of the RMP with a view to the full optimisation of business efficiencies across the organisation.

Graeme Hill owns all the Actions identified in the Action Plan section of this document.

Evidence:

E01-01 “SLAB Records Management Policy”

E01-02 “SLAB Information Governance Policy”

E02-01 “Job description for Records Management Specialist”

Action Plan:

None


Element 3: Records management policy statement:

A records management policy statement underpins effective management of an authority’s records and information. It demonstrates to employees and stakeholders that managing records is important to the authority and serves as a mandate for the activities of the records manager.

The Keeper expects each authority’s plan to include a records management policy statement. The policy statement should describe how the authority creates and manages authentic, reliable and useable records, capable of supporting business functions and activities for as long as they are required. The policy statement should be made available to all staff, at all levels in the authority. The statement will properly reflect the business functions of the public authority. The Keeper will expect authorities with a wide range of functions operating in a complex legislative environment to develop a fuller statement than a smaller authority. The records management statement should define the legislative, regulatory and best practice framework, within which the authority operates and give an overview of the records management processes and systems within the authority and describe how these support the authority in carrying out its business effectively. For electronic records the statement should describe how metadata is created and maintained. It should be clear that the authority understands what is required to operate an effective records management system which embraces records in all formats.

The records management statement should include a description of the mechanism for records management issues being disseminated through the authority and confirmation that regular reporting on these issues is made to the main governance bodies. The statement should have senior management approval and evidence, such as a minute of the management board recording its approval, submitted to the Keeper. The other elements in the RMP, listed below, will help provide the Keeper with evidence that the authority is fulfilling its policy.

Read further explanation and guidance about element 3 -

SLAB Statement:

The Board has a records management policy. The current version is due for annual review in February 2014. It is published on the corporate intranet.

Accompanying the policy are specific procedural documents providing practical guidance on different aspects of records management.

Evidence:

E01-01 SLAB “Records Management Policy”

E03-01 SLAB “Staff Guidance - Email Retention”

E03-02 SLAB “Staff Guidance - Document Version Control and Naming Conventions”

E03-03 SLAB “Staff Guidance – Procedure on Document Metadata”

E03-04 SLAB “Staff Guidance on Paper File Management”

E03-05 ‘Briefly Newsletter’ Staff Awareness Articles

Action Plan:

RMP03-01 Develop Procedures on Records Management during office moves.

Status - ongoing

Element 4: Business classification

A business classification scheme describes what business activities the authority undertakes – whether alone or in partnership.

The Keeper expects an authority to have properly considered business classification mechanisms and its RMP should therefore reflect the functions of the authority by means of a business classification scheme or similar.

A business classification scheme usually takes the form of a hierarchical model or structure diagram. It records, at a given point in time, the informational assets the business creates and maintains, and in which function or service area they are held. As authorities change the scheme should be regularly reviewed and updated.

A business classification scheme allows an authority to map its functions and provides a structure for operating a disposal schedule effectively.

Some authorities will have completed this exercise already, but others may not. Creating the first business classification scheme can be a time-consuming process, particularly if an authority is complex, as it involves an information audit to be undertaken. It will necessarily involve the cooperation and collaboration of several colleagues and management within the authority, but without it the authority cannot show that it has a full understanding or effective control of the information it keeps.

Although each authority is managed uniquely there is an opportunity for colleagues, particularly within the same sector, to share knowledge and experience to prevent duplication of effort.

All of the records an authority creates should be managed within a single business classification scheme, even if it is using more than one record system to manage its records. An authority will need to demonstrate that its business classification scheme can be applied to the record systems which it operates.

Read further explanation and guidance about element 4 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement4.asp

SLAB Statement:

The Board does not currently have a formal Business Classification scheme, as many of the processes are undergoing redesign. This is being worked on with the Business Efficiency Review Unit (BERU).

The Information Governance area is Business Classified and acts as a ‘one stop shop’ for Records Management, Data Protection, Freedom of Information, IS Security and Knowledge Management across the organisation.

The Board will be introducing a SharePoint system later this financial year and a Business Classification Scheme will be incorporated into the system as a Records Repository.

Evidence:

E04-01 Screen capture of Information Governance Business Classification Scheme.

E04-02 Extract minute of PRSA Project Board on Business Classification

E04-03 SLAB “Briefly Article – Introducing Information Governance Business Classification Scheme” as a ‘one stop shop’ for all information related needs.

Action Plan:

RMP04-01 Work with the Business Efficiency and Review Unit (BERU) to develop the SLAB Business Classification Scheme.

Status - ongoing

RMP04-02 Contributing with National Government initiatives on development and the introduction of Business Classification scheme.

Status - ongoing

RMP04-03 Assess effectiveness and appropriateness of BSC Information Governance after 12 months of usage.

Status - ongoing


Element 5: Retention schedules

A retention schedule is a list of records for which pre-determined disposal dates have been established.

Section 1(2)(b)(iii) of the Act specifically requires a RMP to include provision about the archiving and destruction or other disposal of the authority’s public records.

An authority’s RMP must demonstrate the existence of and adherence to corporate records retention procedures. The procedures should incorporate retention schedules and should detail the procedures that the authority follows to ensure records are routinely assigned disposal dates, that they are subsequently destroyed by a secure mechanism (see element 6) at the appropriate time, or preserved permanently by transfer to an approved repository or digital preservation programme (see element 7).

The principal reasons for creating retention schedules are:

- to ensure records are kept for as long as they are needed and then disposed of appropriately
- to ensure all legitimate considerations and future uses are considered in reaching the final decision.
- to provide clarity as to which records are still held by an authority and which have been deliberately destroyed.

“Disposal” in this context does not necessarily mean destruction. It includes any action taken at the agreed disposal or review date including migration to another format and transfer to a permanent archive.

A retention schedule is an important tool for proper records management. Authorities who do not yet have a full retention schedule in place should show evidence that the importance of such a schedule is acknowledged by the senior person responsible for records management in an authority (see element 1). This might be done as part of the policy document (element 3). It should also be made clear that the authority has a retention schedule in development.

An authority’s RMP must demonstrate the principle that retention rules are consistently applied across all of an authority’s record systems.

Read further explanation and guidance about element 5 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement5.asp

SLAB Statement:

The Board has a detailed ‘Document, Storage, Retention and Disposal’ Policy. This is department-specific, with many departments being unique to the Board.

This is further strengthened by Staff Guidance on Email Retention and Document Version Control and Naming Conventions.

Evidence:

E05-01 “SLAB Document Storage, Retention and Disposal Policy”.

E05-02 Extract from in-house records storage lists showing destroyed life-expired records.

E03-01 “SLAB Staff Guidance on Email Retention”

E03-02 “SLAB Document Version Control and Naming Conventions”

Action Plan:

RMP05-01 Introduce a schedule of regular transfers of Corporate Documents to NRS.

Status: ongoing

RMP05-02 Our contract with Iron Mountain is currently being re-negotiated and, once in place, we will begin calling back boxes for destruction in line with our retention schedules.

Status: ongoing


Element 6: Destruction arrangements

It is not always cost-effective or practical for an authority to securely destroy records in-house. Many authorities engage a contractor to destroy records and ensure the process is supervised and documented.

Section 1(2) (b)(iii) of the Act specifically requires a RMP to include provision about the archiving and destruction, or other disposal, of an authority’s public records.

An authority’s RMP must demonstrate that proper destruction arrangements are in place.

A retention schedule, on its own, will not be considered adequate proof of disposal for the Keeper to agree a RMP. It must be linked with details of an authority’s destruction arrangements. These should demonstrate security precautions appropriate to the sensitivity of the records. Disposal arrangements must also ensure that all copies of a record – wherever stored – are identified and destroyed.

Read further explanation and guidance about element 6 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement6.asp

SLAB Statement:

All physical Board documents and records are subject to secure disposal under contract to Shred-It:

The contract details ISO accreditation, insurance certificate and employer’s liability.

Shred-It dispose of confidential documents directly from offices. This contract has been in place since 2009.

IS will implement retention schedules on all electronic records and regularly review these.

The Board will be implementing a SharePoint system through which it will be able to operate its ‘Document Storage, Retention and Disposal Policy’ across all electronic records. It is anticipated that this will be rolled out during this current financial year.

Evidence:

E06-01 “SLAB staff guidance on confidential disposal of records”

E06-02 “Details of Shred-It security arrangements”.

E06-03 “Sample destruction certificates”.

Action Plan:

RMP06-01 Deploy retention management when SharePoint system is rolled out later this financial year.

RMP03-01 Develop Procedures on Records Management during office moves.

Status: ongoing


Element 7: Archiving and transfer arrangements

This is the mechanism by which an authority transfers records of enduring value to an appropriate archive repository, specifying the timing of transfers and other terms and conditions.

Section 1(2)(b)(iii) of the Act specifically requires a RMP to make provision about the archiving and destruction, or other disposal, of an authority’s public records.

An authority’s RMP must detail its archiving and transfer arrangements and ensure that records of enduring value are deposited in an appropriate archive repository. The RMP will detail how custody of the records will transfer from the operational side of the authority to either an in-house archive, if that facility exists, or another suitable repository, which must be named. The person responsible for the archive should also be cited.

Some records continue to have value beyond their active business use and may be selected for permanent preservation. The authority’s RMP must show that it has a mechanism in place for dealing with records identified as being suitable for permanent preservation. This mechanism will be informed by the authority’s retention schedule which should identify records of enduring corporate and legal value. An authority should also consider how records of historical, cultural and research value will be identified if this has not already been done in the retention schedule. The format/media in which they are to be permanently maintained should be noted as this will determine the appropriate management regime.

Read further explanation and guidance about element 7- http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement7.asp

SLAB Statement:

The Board has been meeting with the National Records Scotland (NRS) to set up a Memorandum of Understanding between the Keeper of the Records of Scotland and SLAB. Documents relating to Corporate Plans, Annual Reviews and Research Documentation will be archived with NRS. This arrangement will be reviewed every 3 – 5 years.

Evidence:

E07-01 Draft “Memorandum of Understanding” between the Keeper of the Records of Scotland (The Keeper) and the Scottish Legal Aid Board.

Action Plan:

RMP07-01 Regular contact is to be kept with NRS with regards to document transfers and the updating and review of the MoU.

Status: ongoing


Element 8: Information Security

Information security is the process by which an authority protects its records and ensures they remain available. It is the means by which an authority guards against unauthorised access and provides for the integrity of the records. Robust information security measures are an acknowledgement that records represent a risk as well as an asset. A public authority should have procedures in place to assess and contain that risk.

Section 1(2) (b)(ii) of the Act specifically requires a RMP to make provision about the archiving and destruction or other disposal of the authority’s public records.

An authority’s RMP must make provision for the proper level of security for its public records.

All public authorities produce records that are sensitive. An authority’s RMP must therefore include evidence that the authority has procedures in place to adequately protect its records. Information security procedures would normally acknowledge data protection and freedom of information obligations as well as any specific legislation or regulatory framework that may apply to the retention and security of records.

The security procedures must put in place adequate controls to prevent unauthorised access, destruction, alteration or removal of records. The procedures will allocate information security responsibilities within the authority to ensure organisational accountability and will also outline the mechanism by which appropriate security classifications are linked to its business classification scheme.

Information security refers to records in all or any format as all are equally vulnerable. It refers to damage from among other things: computer viruses, flood, fire, vermin or mould.

Current or semi-current records do not normally require archival standard storage. Physical records will however survive far better in a controlled environment. In broad terms the environment for current records should not allow large changes in temperature or excess humidity (as increased high temperatures and humidity are more likely to cause mould). If records are not adequately protected then the risk that the records could be damaged and destroyed is potentially higher and could lead to significant reputational and financial cost to the business.

Read further explanation and guidance about element 8 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement8.asp

The Board operates an existing Computer Usage Policy and operates a range of procedures around its IT.

The Board is proactive in its approach to information risk through the corporate risk register.

There are two levels of security tests: full penetration testing and vulnerability scans. The former is done once a year (in April) and is an extensive test of systems covering both access without credentials and also ‘deep’ testing of systems with a given set of credentials. The vulnerability scans are then done quarterly to complement the ‘full’ test but only cover threats without credentials.

Board PCs are protected by port control to prevent downloading of data to unencrypted media.

All Information Asset Owners (“IAOs”) are currently attending a quarterly training programme with updates from the Information Commissioner’s Office and also Information Security Specialists detailing best practice in key Information Security and data protection areas.

E06-01 “SLAB staff guidance on confidential disposal of records”

E06-02 “Details of Shred-It security arrangements.”

E06-03 “Sample destruction certificates”.

E08 – 01 “SLAB Computer Usage Policy”.

E08 – 02 “SLAB Network and Desktop Policy”

E08 – 03 “Programme of Planned ‘Information Asset Owners’ events”.

E08 – 04 “Role of Information Asset Owner”

E03 – 05 “Briefly Newsletter’ Staff Awareness Articles”

None


RMP Element Description SLAB Statement Evidence Action Plan

Element 9: Data protection

An authority that handles personal information about individuals has a number of legal obligations to protect that information under the Data Protection Act 1998.

The Keeper will expect an authority’s RMP to indicate compliance with its data protection obligations. This might be a high level statement of public responsibility and fair processing.

If an authority holds and processes information about stakeholders, clients, employees or suppliers, it is legally obliged to protect that information. Under the Data Protection Act, an authority must only collect information needed for a specific business purpose, and it must keep it secure and ensure it remains relevant and up to date. The authority must also only hold as much information as is needed for business purposes and only for as long as it is needed. The person who is the subject of the information must be afforded access to it on request.

Read further explanation and guidance about element 9 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement9.asp

The Board has in place wide-ranging data protection controls including high-level procedures, staff training and guidance for specific activities.

Staff training in ‘Protecting Information’ covers Data Protection at three different levels.

All IAOs are currently attending a quarterly training programme with updates from the Information Commissioner’s Office detailing best practice in key data protection areas.

E09-01 “SLAB ICO Registration”

E09-02 “SLAB Data Protection Policy 2013”

E09-03 “ICO Subject Access Request Guidance – used by staff”

E09-04 “SLAB Subject Access Request procedures”

E09 -05 SLAB ‘Protecting Information’ training – Levels 1/2/3 Screen Shots

E09-06 “Examples of SLAB specific privacy notices”

E09-07 “SLAB Access to Information – link to external website”

E08-03 “Programme of planned IAO Events.”

RMP14 – 01 SLAB will develop Data Sharing Guidance to reinforce protection of personal data shared with third parties by the end of financial year.

RMP14 – 02 SLAB staff will undertake ‘Protecting Information’ refresher on an annual basis.


RMP Element Description SLAB Statement Evidence Action Plan

Element 10: Business continuity and vital records

A business continuity and vital records plan serves as the main resource for the preparation for, response to, and recovery from, an emergency that might affect any number of crucial functions in an authority.

The Keeper will expect an authority’s RMP to indicate arrangements in support of records vital to business continuity. Certain records held by authorities are vital to their function. These might include insurance details, current contract information, master personnel files, case files, etc. The RMP will support reasonable procedures for these records to be accessible in the event of an emergency affecting their premises or systems.

Authorities should therefore have appropriate business continuity plans ensuring that the critical business activities referred to in their vital records will be able to continue in the event of a disaster. How each authority does this is for them to determine in light of their business needs, but the plan should point to it.

Read further explanation and guidance about element 10 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement10.asp

The Board has robust business continuity plans for each site. These are subject to regular updates.

The Board has not previously made any separate provision for vital records, due to all network content being subject to back-up and storage on the Board’s remote Storage Area Network which is hosted by the Scottish Government.

All incoming mail is scanned in line with operating procedures and document management procedures. Both of these documents have recently been revised.

As part of migration to an electronic document management system, key hard copy records have been scanned.

E10-01 “SLAB Business Continuity Plan” (personal data redacted)

E10-02 “SLAB Scanning mail Procedures”.

E10-03 “SLAB Document Management Procedures”.

RMP10-01 SLAB’s Business Continuity Plans are currently being revised within the Board. The Records Management Specialist will be involved in the Business Continuity group and review the new plans for Business Continuity by the end of September 2013 to assess whether they make adequate provision for the Board’s vital records.

Action: Document Management Procedures for paper records to be developed for potential disaster recovery.

RMP Element Description SLAB Statement Evidence Action Plan


Element 11: Audit trail

An audit trail is a sequence of steps documenting the movement and/or editing of a record resulting from activities by individuals, systems or other entities.

The Keeper will expect an authority’s RMP to provide evidence that the authority maintains a complete and accurate representation of all changes that occur in relation to a particular record. For the purpose of this plan ‘changes’ can be taken to include movement of a record even if the information content is unaffected. Audit trail information must be kept for at least as long as the record to which it relates.

This audit trail can be held separately from or as an integral part of the record. It may be generated automatically, or it may be created manually.

Read further explanation and guidance about element 11 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement11.asp

With regard to systems access, the Board opts for the simpler option of limiting what any individual can access and do by controlling their read / write access permissions through menus, roles and responsibilities set on the systems rather than tracing every transaction made by that individual. That is, the individual has a delegated authority (documented) to make certain transactions and is prevented by either physical or logical access controls from performing other transactions. Staff access to systems is subject to line manager authorisation.

For example, on Paybase 10 (used for all BACS payments) Receipts and Payments staff can set up and submit the payment using their hardware security management (“HSM”) PIN but it needs a separate HSM PIN held by Accounts & Budgeting staff (or the Financial Controller) to approve the payment before it can be submitted.

All project documentation has an audit trail that is continually updated throughout its life cycle. The Board has purchased the licence for Sharepoint but this has not been rolled out yet due to other system commitments.

E11 – 01 “Example of audit trail from project documentation”.

E11 – 02 “Microsoft Licence Agreement evidencing Sharepoint”

RM11-01 Sharepoint (once introduced) will have the facility to have a full audit trail for records.

Ongoing


RMP Element Description SLAB Statement Evidence Action Plan

Element 12: Competency framework for records management staff

A competency framework lists the core competencies and the key knowledge and skills required by a records manager. It can be used as a basis for developing job specifications, identifying training needs, and assessing performance.

The Keeper will expect an authority’s RMP to detail a competency framework for person(s) designated as responsible for the day-to-day operation of activities described in the elements in the authority’s RMP. It is important that authorities understand that records management is best implemented by a person or persons possessing the relevant skills.

A competency framework outlining what the authority considers are the vital skills and experiences needed to carry out the task is an important part of any records management system. If the authority appoints an existing non-records professional member of staff to undertake this task, the framework will provide the beginnings of a training programme for that person.

The individual carrying out day-to-day records management for an authority might not work for that authority directly. It is possible that the records management function is undertaken by a separate legal entity set up to provide functions on behalf of the authority, for example an arm’s length body or a contractor. Under these circumstances the authority must satisfy itself that the supplier supports and continues to provide a robust records management service to the authority. The authority’s RMP must confirm that it is satisfied by the standard of the records management provided by the supplier and name the organisation that has been appointed to carry out records management on the authority’s behalf.

Where an authority’s records management system has been put in place by a third party, but is operated on a day-to-day basis by a member of staff in the authority, it is the competencies of that member of staff which should be confirmed, not those of the third party supplier of the system.

Read further explanation and guidance about element 12 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement12.asp

The Board operates adequate CPD arrangements for all staff, including its information professionals, and allocates resources for their training.

‘Protecting Information’ training has been sourced via the Scottish Government. This has been rolled out to all staff and is mandatory depending on role. There are three levels to the training depending upon role. ‘Protecting Information’ covers all aspects of Safe Information handling, including record keeping.

Records Management Training has been given to staff that have direct responsibility for creating records.

The Records Management Specialist has a BA in Law and relevant MSc qualification and is also a member of the Information, Records Management Society (IRMS).

The Business Reviewer has a BSc Honours in Data Quality, is a Member of the Chartered Quality Institute and is also a member of the Information, Records Management Society.

E02-01 “Job description for Records Management Specialist”

E12-01 “Information Governance Training paper (including staff competencies)”

E12-02 Records Management Training Slides

None


RMP Element Description SLAB Statement Evidence Action Plan

Element 13: Assessment and review

Regular self-assessment and review of records management systems will give an authority a clear statement of the extent that its records management practices conform to the Records Management Plan as submitted and agreed by the Keeper.

Section 1(5) (i)(a) of the Act says that an authority must keep its RMP under review.

An authority’s RMP must describe the procedures in place to regularly review it in the future.

It is important that an authority’s RMP is regularly reviewed to ensure that it remains fit for purpose. It is therefore vital that a mechanism exists for this to happen automatically as part of an authority’s internal records management processes.

A statement to support the authority’s commitment to keep its RMP under review must appear in the RMP detailing how it will accomplish this task.

Read further explanation and guidance about element 13 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement13.asp

The Board routinely includes review dates within policies and procedures throughout the organisation.

The Record Keeping provisions within the Board have been assessed using the Records Management Maturity Model.

The 2013-14 Records Management Action Plan will detail improvement actions that will be undertaken over the forthcoming year.

The review date for the RM Plan is June 2014.

E13-01 “Excerpt from IS policy update schedule.”

E13-02 “Excerpt from Records Management Maturity Model”

E13-03 “2013-2014 SLAB Records Management Action Plan.”

RMP13-01 Progress against this Records Management Action Plan will be reported to the SLAB Information Governance Group on a quarterly basis, with a comprehensive review in June 2014.


RMP Element Description SLAB Statement Evidence Action Plan

Element 14: Shared Information

Under certain conditions, information given in confidence may be shared. Most commonly this relates to personal information, but it can also happen with confidential corporate records.

The Keeper will expect an authority’s RMP to reflect its procedures for sharing information. Authorities who share, or are planning to share, information must provide evidence that they have considered the implications of information sharing on good records management.

Information sharing protocols act as high level statements of principles on sharing and associated issues, and provide general guidance to staff on sharing information or disclosing it to another party. It may therefore be necessary for an authority’s RMP to include reference to information sharing protocols that govern how the authority will exchange information with others and make provision for appropriate governance procedures.

Specifically the Keeper will expect assurances that an authority’s information sharing procedures are clear about the purpose of record sharing which will normally be based on professional obligations. The Keeper will also expect to see a statement regarding the security of transfer of information, or records, between authorities whatever the format.

Issues critical to the good governance of shared information should be clearly set out among parties at the earliest practical stage of the information sharing process. This governance should address accuracy, retention and ownership. The data sharing element of an authority’s RMP should explain review procedures, particularly as a response to new legislation.

Read further explanation and guidance about element 14 - http://www.nas.gov.uk/recordKeeping/PRSA/guidanceElement14.asp

The Board currently has in place Information Sharing Protocols and other appropriate arrangements with key external parties with whom it shares personal data.

Confidentiality terms are included in all contracts with third parties.

Mandates are signed by Legal Aid Applicants and Solicitors in order to share their personal information with the Board in terms of granting Legal Aid Applications.

E14-01 “Example of Legal Aid Mandate”

E14-02 “Excerpt of a Data Sharing Agreement”

E14 – 03 SLAB Data Agreement Non-DP

E14 – 04 Final Data Sharing Agreement Process

E14 – 05 Lead Application Form

E14 -06 Standard Confidentiality Clauses within the Board’s in-house versions of the SGTCs (Scottish Govt Terms and Conditions)

RMP 14– 01 SLAB will develop Data Sharing Guidance to reinforce protection of personal data shared with other parties by the end of 2013

RMP 14 – 02 SLAB will review arrangements with procurement regarding provisions in contracts for sharing information.

Ongoing

Appendix A

Records Management Maturity Model and Action Plan – Summary Report

Maturity level average to date

A Institutions should have in place organisational arrangements that support records management 2


Action: Records management will be included in discussions in initial project development and discussed as part of the project plans. Information Asset Owners are responsible for ensuring record keeping standards in their particular areas - ongoing

Expected Maturity Level Outcome 3

B Institutions should have in place a records management policy, either as a separate policy or as a part of a wider information or management policy. - No action 3

C Institutions should ensure they keep the records they will need for business, regulatory, legal and accountability purposes

Action: The Share point document management system will be implemented in the organisation and will include retention periods as standard. Managers will develop a sound grasp of RM considerations with the introduction of new technologies and systems and seek appropriate strategies as a response - ongoing

Expected Maturity Level Outcome 3

2

D Institutions should keep their records in systems that enable records to be stored and retrieved as necessary.

Action: Records are to be included into Business Continuity Planning process with copies of what is held on systems stored alongside other disaster recovery records. A range of audience specific guidance is created and regularly updated for administrators and users to consult. - ongoing

Expected Maturity Level Outcome 3

2

E Institutions should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required.

Action: Share point is being introduced; this will facilitate ease of finding records, and a register of vital records is updated regularly in the Board.

Expected Maturity Level Outcome 3

2

F Institutions should ensure that records are stored securely and that access to them is controlled.

Action: The anticipated move of premises will facilitate organisational change with regard to the security of rooms. Procedures will be put in place for the change to electronic records for all applications to the Board. – ongoing

Expected Maturity Level Outcome 3

2


G Institutions should define how long they need to keep particular records, and should dispose of them when no longer needed. - ongoing

Action: Records to continue to be reviewed in line with Document Retention, Disposal and Destruction Policy.

Expected Maturity Level Outcome 3

2.5

H Institutions should ensure that records shared with other bodies or held on their behalf by other bodies are managed in accordance with Data Sharing Policies. – ongoing

Action: Records management controls to be applied to information being passed to or shared with other organisations.

Expected Maturity Level Outcome 3

See Element 14 – Action Plan

2

The Board takes its records management responsibilities seriously. All actions contained within this document will be addressed before this plan is reviewed as part of a detailed ‘continuous improvement’ workstream here at the Board.
